[drupal-devel] [bug] Remove code containing user access controls from profile theme functions
robertDouglass
drupal-devel at drupal.org
Mon Aug 1 12:37:11 UTC 2005
Issue status update for http://drupal.org/node/27949
Post a follow up: http://drupal.org/project/comments/add/27949
Project: Drupal
Version: cvs
Component: profile.module
Category: bug reports
Priority: normal
Assigned to: robertDouglass
Reported by: robertDouglass
Updated by: robertDouglass
Status: patch (code needs review)
Attachment: http://drupal.org/files/issues/profile_fix_acces_control_in_theme.txt (2.36 KB)
The two theme functions in profile.module both violate good theming
practice by running user control logic in the middle of them. Worse
yet, this isn't immediately visible since it happens in yet another
function. Thus themers overriding these functions to style profile
pages[1] inadvertently break access control, thus leading to the
misperception that overriding theme functions is inherently
dangerous[2].
[1] http://drupal.org/node/16011
[2] http://drupal.org/node/16821
robertDouglass
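
The failure mode described in this message, as an added example that is not part of the original post and is not code from profile.module: a themer's override of a theme function that hides an access check passes a private field through, while filtering in the module before theming keeps it out. Every function name, the simplified dispatcher and the sample fields are hypothetical and constructed for illustration.

```php
<?php
// Added illustration with simplified stand-ins; not code from profile.module.
// Hypothetical access check standing in for the module's own logic.
function example_field_visible(array $field, bool $is_admin): bool {
  return !$field['private'] || $is_admin;
}

// Simplified dispatcher: a theme's override replaces the module default.
function example_theme(string $hook, ...$args): string {
  $override = 'mytheme_' . $hook;
  $function = function_exists($override) ? $override : 'theme_' . $hook;
  return $function(...$args);
}

// Markup helper shared by the functions below.
function example_list(array $fields): string {
  $out = "<ul>\n";
  foreach ($fields as $f) {
    $out .= '<li>' . htmlspecialchars("{$f['title']}: {$f['value']}") . "</li>\n";
  }
  return $out . "</ul>\n";
}

// Before: the default theme function decides what the viewer may see.
function theme_profile_before(array $fields, bool $is_admin): string {
  $shown = array_filter($fields, fn($f) => example_field_visible($f, $is_admin));
  return example_list($shown);
}

// A themer's restyling override: it copies the markup, not the hidden check.
function mytheme_profile_before(array $fields, bool $is_admin): string {
  return '<div class="profile">' . example_list($fields) . '</div>';
}

// After: the module filters first, so any theme function gets visible fields only.
function example_profile_view(array $fields, bool $is_admin): string {
  $shown = array_filter($fields, fn($f) => example_field_visible($f, $is_admin));
  return example_theme('profile_after', $shown);
}
function mytheme_profile_after(array $fields): string {
  return '<div class="profile">' . example_list($fields) . '</div>';
}

// Constructed sample data, rendered for a non-admin viewer: first through the
// overridden "before" theme function, then through the module-side filter.
$fields = [
  ['title' => 'City',  'value' => 'Cologne',  'private' => false],
  ['title' => 'Phone', 'value' => '555-0100', 'private' => true],
];
echo example_theme('profile_before', $fields, false);
echo example_profile_view($fields, false);
```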